#!/bin/bash

if [ -z "$1" ]
then
    echo
    echo 'Issue a wildcard SSL certificate with ROOT CA'
    echo
    echo 'Usage: ./docker_ssl_create.sh <domain> '
    echo '    <domain>          The domain name of your site, like "ca.example.dev",'
    echo '                      The domain can not been set to IP adress!!!!!!'
    exit;
fi

CA_NAME='ca'
CA_KEY_NAME='ca-key'
CA_SERVER_KEY='server_key'
CA_SERVER_CERT='server_cert'
CA_CLIENT_KEY='key'
CA_CLIENT_CERT='cert'
BASE_DIR='/usr/local/ca/'
RSA_BITS_NUM=4096
VALID_DAYS=3650
DOCKER_START_FILE='/lib/systemd/system/docker.service'
PASSWD=801125

CRT_COUNTRY_NAME=CN
CRT_PROVINCE_NAME=Liaoning
CRT_CITY_NAME=Dalian
CRT_ORGANIZATION_NAME=7long
CRT_ORGANIZATION_UNIT_NAME=software
CRT_DOMAIN=$1

if [ ! -d $BASE_DIR ]; then
    mkdir -p $BASE_DIR
fi
cd $BASE_DIR
#创建CA私钥

openssl genrsa -aes256 -passout pass:$PASSWD -out $CA_KEY_NAME.pem $RSA_BITS_NUM

#除去密码口令
#openssl rsa -in $CA_FILE_NAME.pem -out $CA_FILE_NAME.key -passin pass:$PASSWD

#生成CA公钥

openssl req -new -x509  -passin pass:$PASSWD -days $VALID_DAYS -key $CA_KEY_NAME.pem -out $CA_NAME.pem \
    -subj "/C=${CRT_COUNTRY_NAME}/ST=${CRT_PROVINCE_NAME}/L=${CRT_CITY_NAME}/O=${CRT_ORGANIZATION_NAME}/OU=(CRT_ORGANIZATION_UNIT_NAME)/CN=${CRT_DOMAIN}"
 
    
#生成Server key

openssl genrsa -out $CA_SERVER_KEY.pem 4096

#用CA签署公钥
openssl req -subj "/CN=${CRT_DOMAIN}" -sha256 -new -key $CA_SERVER_KEY.pem -out $CA_SERVER_KEY.csr



#设置访问权限
echo "subjectAltName = DNS:${CRT_DOMAIN},IP:0.0.0.0" >> extfile.cnf
#DNS为docker 服务器IP,IP为允许访问的IP,0.0.0.0为不限制,多IP可以用
echo "extendedKeyUsage = serverAuth" >> extfile.cnf

#生成签名证书 -passin pass:${PASSWD}

openssl x509 -req -passin pass:${PASSWD} -days $VALID_DAYS -sha256 -in $CA_SERVER_KEY.csr   -CA $CA_NAME.pem -CAkey $CA_KEY_NAME.pem \
  -CAcreateserial -out $CA_SERVER_CERT.pem -extfile extfile.cnf
  
#生成客户端key.pem
openssl genrsa -out $CA_CLIENT_KEY.pem 4096
openssl req -subj '/CN=client' -new -key $CA_CLIENT_KEY.pem -out client.csr

#用秘钥做客户端身份验证
echo "extendedKeyUsage = clientAuth" >> extfile.cnf
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf

#生成客户端签名证书
echo "生成客户端签名证书"
openssl x509 -req -passin pass:${PASSWD} -days $VALID_DAYS -sha256 -in client.csr -CA $CA_NAME.pem -CAkey $CA_KEY_NAME.pem \
  -CAcreateserial -out $CA_CLIENT_CERT.pem -extfile extfile-client.cnf
  
#删除无用文件
#rm -v client.csr $CA_SERVER_KEY.csr extfile.cnf extfile-client.cnf
#修改权限

chmod -v 0400 $CA_KEY_NAME.pem $CA_CLIENT_KEY.pem $CA_SERVER_KEY.pem
chmod -v 0444  $CA_NAME.pem $CA_SERVER_CERT.pem $CA_CLIENT_CERT.pem


#复制证书到docker配置目录
cp ${CA_SERVER_KEY}.* /etc/docker/
cp ${CA_SERVER_CERT}.* /etc/docker/
cp $CA_NAME.pem /etc/docker/

#更改docker启动文件
START_CMD="ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=${BASE_DIR}${CA_NAME}.pem \
--tlscert=${BASE_DIR}${CA_SERVER_CERT}.pem \
--tlskey=${BASE_DIR}${CA_SERVER_KEY}.pem \
-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"

sed -i '/^ExecStart/c'"${START_CMD}" ${DOCKER_START_FILE}

systemctl daemon-reload
systemctl restart docker
echo -ne "已设置完成,请把下列文件:
${CA_NAME}.pem,${CA_KEY_NAME}.pem,${CA_CLIENT_KEY}.pem,${CA_CLIENT_CERT}.pem
复制到客户端电脑上,
访问网址:https://${CRT_DOMAIN}:2375
"